VulnerableCode Package Details - pkg:deb/debian/httpcomponents-client@4.1.1-2%2Bdeb7u1

Search for packages

Vulnerability	Summary	Fixed by
VCID-2phd-tw5c-xbdb Aliases: CVE-2013-4366 GHSA-pqwh-44jj-p5rm	http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.	4.3.5-2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-3bxq-vmjj-kqfe Aliases: CVE-2014-3577 GHSA-cfh5-3ghh-wfjx	org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.	4.3.5-2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-3ur6-9s61-13a3 Aliases: CVE-2015-5262 GHSA-fmj5-wv96-r2ch	http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.	4.5.2-2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-mrdq-9pb2-3qb5 Aliases: CVE-2020-13956 GHSA-7r82-7xv7-xcpj	Cross-site scripting in Apache HttpClient Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.	4.5.7-1+deb10u1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.5.13-2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2phd-tw5c-xbdb
Aliases:
CVE-2013-4366
GHSA-pqwh-44jj-p5rm

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

4.3.5-2
Affected by 2 other vulnerabilities.

VCID-3bxq-vmjj-kqfe
Aliases:
CVE-2014-3577
GHSA-cfh5-3ghh-wfjx

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

4.3.5-2
Affected by 2 other vulnerabilities.

VCID-3ur6-9s61-13a3
Aliases:
CVE-2015-5262
GHSA-fmj5-wv96-r2ch

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

4.5.2-2
Affected by 1 other vulnerability.

VCID-mrdq-9pb2-3qb5
Aliases:
CVE-2020-13956
GHSA-7r82-7xv7-xcpj

Cross-site scripting in Apache HttpClient Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

4.5.7-1+deb10u1
Affected by 1 other vulnerability.

4.5.13-2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-qyy2-d6f6-gbaq	Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.	CVE-2011-1498 GHSA-gw85-4gmf-m7rh

Vulnerability

Summary

Aliases

VCID-qyy2-d6f6-gbaq

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.

CVE-2011-1498
GHSA-gw85-4gmf-m7rh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-15T22:15:13.871695+00:00	Debian Oval Importer	Affected by	VCID-2phd-tw5c-xbdb	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T21:14:09.335182+00:00	Debian Oval Importer	Affected by	VCID-mrdq-9pb2-3qb5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T20:27:21.190689+00:00	Debian Oval Importer	Fixing	VCID-qyy2-d6f6-gbaq	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T19:13:51.218685+00:00	Debian Oval Importer	Affected by	VCID-3bxq-vmjj-kqfe	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T17:24:34.656847+00:00	Debian Oval Importer	Affected by	VCID-3ur6-9s61-13a3	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T15:09:48.336847+00:00	Debian Oval Importer	Affected by	VCID-mrdq-9pb2-3qb5	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.4.0
2026-04-11T21:52:51.487548+00:00	Debian Oval Importer	Affected by	VCID-2phd-tw5c-xbdb	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T20:53:56.411530+00:00	Debian Oval Importer	Affected by	VCID-mrdq-9pb2-3qb5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T20:08:51.748403+00:00	Debian Oval Importer	Fixing	VCID-qyy2-d6f6-gbaq	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T18:57:24.314522+00:00	Debian Oval Importer	Affected by	VCID-3bxq-vmjj-kqfe	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T17:10:57.760101+00:00	Debian Oval Importer	Affected by	VCID-3ur6-9s61-13a3	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T14:58:06.593921+00:00	Debian Oval Importer	Affected by	VCID-mrdq-9pb2-3qb5	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.3.0
2026-04-08T21:30:18.130188+00:00	Debian Oval Importer	Affected by	VCID-2phd-tw5c-xbdb	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T20:33:24.789214+00:00	Debian Oval Importer	Affected by	VCID-mrdq-9pb2-3qb5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T19:50:13.323372+00:00	Debian Oval Importer	Fixing	VCID-qyy2-d6f6-gbaq	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T18:42:00.378695+00:00	Debian Oval Importer	Affected by	VCID-3bxq-vmjj-kqfe	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T16:59:58.344670+00:00	Debian Oval Importer	Affected by	VCID-3ur6-9s61-13a3	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-07T23:30:07.656611+00:00	Debian Oval Importer	Affected by	VCID-mrdq-9pb2-3qb5	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.1.0